TrustArc Blog

Let’s talk P3P

September 13, 2010

By Fran Maier, President, TRUSTe

Last Friday researchers at Carnegie Mellon University published a research report entitled “Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens”. The researchers found invalid P3P compact policies (CPs) for roughly one third of the 33,000 websites they evaluated, and found that in 98% of these cases the invalid CPs resulted in cookies remaining unblocked by the Internet Explorer web browser under its default cookie settings. The report alleges that in a number of these cases the CP errors are intentional and amount to a cookie-blocking workaround by the offending sites. The report identifies 134 TRUSTe-certified websites with invalid CPs.
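The report's central finding is that a CP which does not parse as the W3C token vocabulary leaves Internet Explorer's default cookie filtering with nothing to act on. The script below is added here as an illustration; it is not part of the original post and not TRUSTe's certification tooling. It shows the syntactic check a site operator or certifier could run over its own P3P response headers: extract the CP value, check each token against the P3P 1.0 compact-policy vocabulary (assumed from the W3C P3P 1.0 specification, section 4; the post itself lists no tokens), and report malformed or unknown tokens. The sample headers and hostnames are constructed.

```python
import re

# Compact-policy token vocabulary, assumed from the W3C P3P 1.0 Recommendation
# (section 4). Tokens in SUFFIXED_TOKENS may carry an a/i/o suffix meaning
# always / opt-in / opt-out; BARE_TOKENS never take a suffix.
BARE_TOKENS = {
    "NOI", "ALL", "CAO", "IDC", "OTI", "NON",          # access
    "DSP", "COR", "MON", "LAW",                        # disputes, remedies
    "NID",                                             # non-identifiable
    "CUR", "OUR",                                      # purpose "current", recipient "ours"
    "NOR", "STP", "LEG", "BUS", "IND",                 # retention
    "PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
    "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC",  # categories
    "TST",                                             # test
}
SUFFIXED_TOKENS = {
    "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP",  # purposes
    "DEL", "SAM", "UNR", "PUB", "OTR",                                            # recipients
}
# Three letters plus an optional a/i/o suffix. Matching is done case-insensitively
# here (a lenient choice made for this example) and normalised before lookup.
TOKEN_RE = re.compile(r"^([A-Za-z]{3})([AaIiOo])?$")


def extract_cp(header_value):
    """Return the quoted CP value from a P3P header value, or None if there is none."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    return m.group(1) if m else None


def validate_cp(cp):
    """Return (valid, problems) for a compact-policy string.

    Prose such as 'This site has no P3P policy' is reported token by token,
    which is exactly the failure mode the CMU report describes.
    """
    problems = []
    tokens = cp.split()
    if not tokens:
        return False, ["empty compact policy"]
    for tok in tokens:
        m = TOKEN_RE.match(tok)
        if not m:
            problems.append(f"malformed token {tok!r}")
            continue
        base, suffix = m.group(1).upper(), m.group(2)
        if base in BARE_TOKENS:
            if suffix:
                problems.append(f"{base} does not take a suffix: {tok!r}")
        elif base not in SUFFIXED_TOKENS:
            problems.append(f"unknown token {tok!r}")
    return (not problems), problems


def audit_headers(headers):
    """Classify (site, P3P header value) pairs as valid / invalid / no-cp."""
    report = {}
    for site, value in headers:
        cp = extract_cp(value)
        if cp is None:
            report[site] = ("no-cp", ["no CP= field in P3P header"])
            continue
        ok, problems = validate_cp(cp)
        report[site] = ("valid" if ok else "invalid", problems)
    return report


# Constructed sample headers (hostnames are placeholders, not real sites).
SAMPLE_HEADERS = [
    ("site-a.example", 'CP="CAO PSA OUR"'),                   # well-formed
    ("site-b.example", 'CP="NOI DSP COR CURa ADMa"'),         # CUR takes no suffix
    ("site-c.example", 'CP="This site has no P3P policy"'),   # prose, not tokens
    ("site-d.example", 'policyref="/w3c/p3p.xml"'),           # no compact policy at all
]

if __name__ == "__main__":
    for site, (status, problems) in audit_headers(SAMPLE_HEADERS).items():
        print(f"{site}: {status}")
        for p in problems:
            print(f"    - {p}")
```

A syntactic pass like this catches the "invalid CP" class from the report; it says nothing about whether a well-formed CP actually matches the site's written privacy policy, which is the separate consistency question the certification programme addresses.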

Let’s look at the bigger picture

TRUSTe certifies over 3,000 websites, and less than 12 percent of them even use P3P compact policies. Moreover, among that 12 percent the researchers found that only one third had erroneous CPs. This one-third error rate among TRUSTe-certified, P3P-using sites is virtually identical to what the researchers found in the field at large. At the end of the day, we’re talking about an issue that affects less than 4 percent of TRUSTe’s total client base.

What’s TRUSTe’s response?

We take privacy matters of any scope very seriously here and we have opened an investigation into the issues brought forward by these researchers. We’re reaching out to our clients identified in the report and seeking further information about their use of P3P technology.

As part of TRUSTe’s program requirements we obligate websites we certify that have P3P statements to self-attest to their P3P statement’s consistency with their standard web privacy policy. A website’s privacy policy is the core focus of TRUSTe privacy certification as it is the resource consumers look to most frequently when making privacy decisions online. If we find that any of these sites we certify have P3P policies that do not align with their standard web privacy policy, we will assist our clients to ensure that consistency is maintained.

Why do so few sites use P3P?

Despite having been around for over a decade, P3P adoption has not taken off. It’s worth noting again that less than 12 percent of the more than 3,000 websites TRUSTe certifies have a P3P compact policy. The reality is that consumers don’t, by and large, use the P3P framework to make decisions about personal information disclosure. Ari Schwartz, of the Center for Democracy and Technology, noted in a 2009 paper on P3P that while the idea behind P3P is a good one (using technology to increase transparency and simplify user choice), its shortcomings (prohibitive complexity and a misguided implementation strategy) critically hampered its adoption. The idea that privacy enhancing technologies (PETs) can be used to bring greater clarity and ease of use to consumers is a powerful one, and it’s an idea that we think a lot about here at TRUSTe. I look forward to devoting future posts to this subject, exploring PETs and frameworks that can move us beyond P3P toward achieving more significant market penetration and bringing simpler privacy solutions to consumers worldwide.